A hacker known by the alias EncryptHub (also known as LARVA-208 and Water Gamayun) compromised the early access game Chemia on Steam to distribute an infostealer among users.
Chemia is a survival crafting game currently being developed by Aether Forge Studios. The game is available in early access, and the date for its full release has not yet been announced.
Researchers from Prodaft discovered that the compromise of Chemia occurred on July 22, 2025, when EncryptHub added the HijackLoader malware (CVKRUTNP.exe) to the game files. This malware persists on the victim’s machine and downloads the Vidar infostealer (v9d9d.exe). According to experts, the malware retrieves the address of the command server via a Telegram channel.
Three hours after the first malware was added to Chemia, a DLL file (cclib.dll) containing the second malicious program, Fickle Stealer, was injected. This file uses PowerShell (worker.ps1) to retrieve the main payload from the site soft-gets[.]com.
The Fickle stealer captures data stored in victims’ browsers, including credentials, autofill information, cookies, and cryptocurrency wallet data.
“The compromised executable file appears legitimate to users downloading it from Steam, which adds an element of social engineering to the attack that relies on trust in the platform rather than traditional methods of deception,” say Prodaft. “When users click on the Playtest of this game, found among other free games, they are actually downloading malware.”
Experts remind us that last year EncryptHub used this same malware in a large-scale phishing campaign involving social engineering, which resulted in the hacking of over 600 organizations worldwide.
Prodaft emphasizes that the malware operates in the background and does not affect the game’s performance, so Chemia users might not even suspect a compromise. At the time of writing, the game was still available on Steam.
At the moment, it remains unclear how exactly EncryptHub managed to inject malicious files into Chemia. One theory suggests that an insider may have assisted him. The game developers have not yet made any official statements on their Steam page or social media platforms.
This is already the third case this year involving the discovery of malware on Steam. Earlier this year, malicious games Sniper: Phantom’s Resolution and PirateFi were removed from the platform. Just like Chemia, these games were in early access.
It is worth noting that in the spring of 2025, experts from the Swedish cybersecurity company Outpost24 KrakenLabs published a comprehensive report focused on the figure of EncryptHub. At that time, analysts concluded that he is both a cybercriminal and a bug hunter. The fact is that EncryptHub not only engages in hacking activities but also works as a freelance developer, and recently went as far as responsibly notifying Microsoft about two zero-day vulnerabilities in Windows.
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks
Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…
Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.03.05 — Polish Space Agency disconnects its network due to hacker attack
Last weekend, the Polish Space Agency (POLSA) had to disconnect all of its systems from the Internet to localize an attack targeting its IT infrastructure. After discovering the intrusion,…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →